Sunday, 13 April 2014

For the last few days Heartbleed has been trending across the internet, and it has been a bad week for the internet. People are calling this bug the "biggest security threat" the web has seen, and some websites have called it "catastrophic".

I was shocked to learn that I had not been safe since December 2011, when OpenSSL added the Heartbeat extension.

Background

The vulnerable Heartbeat code was committed to OpenSSL on 31 December 2011 and shipped to the world in OpenSSL 1.0.1 in March 2012; the fix, OpenSSL 1.0.1g, was released on 7 April 2014, about a week ago. The bug was found independently by Neel Mehta of Google's security team and by a software firm called Codenomicon. Codenomicon took the initiative of publicising it and created a website with information and remediation advice for this bug: http://heartbleed.com.

Why do we need SSL?

Before diving into Heartbleed, a few words on why we need SSL (Secure Sockets Layer), whose successor is TLS (Transport Layer Security).

We routinely send passwords, personal details, credit card numbers, selfies and social media posts over the internet.

HTTPS encrypts such data so that a malicious party sitting on the network cannot read or tamper with it. OpenSSL is an open-source library that implements SSL/TLS, and it is what a large share of web servers use to provide HTTPS.

But the Heartbeat extension as implemented in OpenSSL 1.0.1 through 1.0.1f is vulnerable to Heartbleed. By sending a malformed Heartbeat request, an attacker can read up to 64 KB of the peer's process memory per request, from either side of the connection: a malicious client can read a server's memory, and a malicious server can read a client's.

What is the Heartbeat Extension?

Heartbeat is a keep-alive mechanism defined in RFC 6520 (TLS/DTLS Heartbeat Extension): a peer sends a small message and expects it echoed back, which keeps a session alive for longer and avoids the cost of re-establishing it (for DTLS it also allows path MTU discovery). OpenSSL implemented the extension in its 1.0.1 release, enabled by default. Heartbeat messages need no authentication beyond the TLS connection itself, and every HeartbeatRequest is answered with a HeartbeatResponse.

The basic idea: the client sends a HeartbeatRequest carrying a payload and a payload_length field, and the server must reply with a HeartbeatResponse containing a copy of that payload.

RFC 6520 says the total length of a HeartbeatMessage (request or response) must not exceed 2^14 bytes, or max_fragment_length when one has been negotiated as defined in RFC 6066. The payload_length field itself, however, is 16 bits, and the vulnerable OpenSSL versions never compared it with the length of the record actually received: they allocated a response of the claimed size and copied that many bytes out of the request buffer. A request that claims a 65535-byte payload but carries only a few bytes therefore gets back up to roughly 64 KB of whatever happens to sit next to the request in the process heap, which can easily include usernames, passwords, session cookies or private key material. Nothing stops the attacker from repeating the request to harvest more.
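To make the mechanism concrete, here is a miniature of the request handler with and without the missing check. This is an added example written for this post, not OpenSSL's source: the message layout follows RFC 6520, but the handler names, the simulated memory buffer and the embedded "secret" string are constructed for the demonstration.

```c
/* Heartbleed in miniature: a HeartbeatRequest handler with and without
 * the missing length check. Added illustration, not OpenSSL's source.
 * Message layout follows RFC 6520:
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

typedef int (*hb_handler)(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap);

/* Constructed "process memory" (an assumption for the demo): the received
 * record sits at the start and a fake session secret sits right after it,
 * as neighbouring heap allocations might. */
static unsigned char memory[512];
static const char secret[] = "user=alice&password=hunter2";

/* Write a HeartbeatRequest into buf. claimed_len goes into the
 * payload_length field; only actual_len payload bytes are really present.
 * Returns the record length. */
static size_t build_request(unsigned char *buf, uint16_t claimed_len,
                            const unsigned char *payload, size_t actual_len)
{
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* The bug (OpenSSL 1.0.1 to 1.0.1f): payload_length is trusted and that many
 * bytes are copied from the request, no matter how long the record really is. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    (void)rec_len;                      /* never consulted: this is the flaw */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 3 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;  /* protects only the demo's output buffer */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);  /* reads past the record into neighbouring memory */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* The fix (OpenSSL 1.0.1g): require the claimed payload to fit inside the
 * record and silently drop the request otherwise. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;       /* too short for header + padding */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;  /* the added check */
    size_t resp_len = 3 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

static int contains(const unsigned char *hay, size_t hay_len,
                    const char *needle, size_t needle_len)
{
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0) return 1;
    return 0;
}

/* Send a request that claims 200 payload bytes but carries 2.
 * Returns 1 if the handler's response contains the neighbouring secret. */
int leaks_secret(hb_handler handler)
{
    unsigned char out[256];
    memset(memory, 0, sizeof memory);
    size_t rec_len = build_request(memory, 200, (const unsigned char *)"hi", 2);
    memcpy(memory + rec_len, secret, sizeof secret);
    int n = handler(memory, rec_len, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, secret, strlen(secret));
}

/* A well-formed request (claimed length == actual) must still be echoed. */
int echoes_valid_request(hb_handler handler)
{
    unsigned char rec[64], out[64];
    size_t rec_len = build_request(rec, 5, (const unsigned char *)"hello", 5);
    int n = handler(rec, rec_len, out, sizeof out);
    return n == (int)rec_len && out[0] == HB_RESPONSE && memcmp(out + 3, "hello", 5) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", leaks_secret(heartbeat_fixed));
    printf("fixed handler echoes valid:      %d\n", echoes_valid_request(heartbeat_fixed));
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed payload length against the length of the record that actually arrived; without it the memcpy walks off the end of the request into whatever the process stored next to it.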

Which OpenSSL versions are vulnerable, and who is vulnerable to Heartbleed?

Heartbleed can only be exploited against software linked with a vulnerable OpenSSL build. Vulnerable versions are:

1.0.1
1.0.1a
1.0.1b
1.0.1c
1.0.1d
1.0.1e
1.0.1f
1.0.2-beta1

OpenSSL 1.0.1g (released 7 April 2014) contains the fix. The older 0.9.8 and 1.0.0 branches never had the Heartbeat code and are not affected, and a 1.0.1 build compiled with -DOPENSSL_NO_HEARTBEATS is also safe. Note that several Linux distributions patched their 1.0.1e packages in place rather than moving to 1.0.1g, so the version string alone does not prove a host is vulnerable or fixed; check the package changelog or the "built on" date shown by `openssl version -a`, and restart every service that still has the old library loaded, since a running process keeps using the vulnerable code until it is restarted.

OpenSSL is the TLS library behind most Apache (mod_ssl) and nginx deployments, which is why the exposure is so broad. According to Netcraft, around half a million widely trusted websites were vulnerable to the Heartbleed bug. Image courtesy Netcraft: LINK

Are Windows servers safe?

Being a .NET developer, the first thing that came to my mind was: are the websites I developed and deployed on Windows servers using IIS safe?

According to Microsoft, IIS does not use OpenSSL and is not vulnerable to Heartbleed. Windows has its own TLS implementation, SChannel (Secure Channel). However, third-party software on Windows that ships its own copy of OpenSSL instead of using SChannel is affected and must be updated separately, and an IIS-hosted site is still exposed if an OpenSSL-based component in front of it, such as a load balancer or reverse proxy, terminates the TLS connection.
